WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

[Xen-devel] Re: [PATCH] vif-common.sh to support tap network devices in

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] Re: [PATCH] vif-common.sh to support tap network devices in iptables FORWARD chain
From: Teck Choon Giam <giamteckchoon@xxxxxxxxx>
Date: Tue, 7 Jul 2009 19:49:15 +0800
Delivery-date: Tue, 07 Jul 2009 04:49:36 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <9b5c9bb30907070429m19fa021yacef5f3c9d664ec5@xxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <9b5c9bb30907070429m19fa021yacef5f3c9d664ec5@xxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Sorry, the previous patch I sent in only supports xm create to add in
the iptables FORWARD chain, but when you xm shutdown the tap-related
ruleset is not removed from the iptables FORWARD chain.  Below is the
patch which supports both xm create and xm shutdown.

--- vif-common.sh.orig  2009-07-07 19:09:39.000000000 +0800
+++ vif-common.sh       2009-07-07 19:47:48.000000000 +0800
@@ -73,6 +73,24 @@
     local c="-D"
   fi

+  # Added support for tap network devices in iptables FORWARD chain as this
+  # is required if antispoof is enabled or otherwise all packets to/from tap
+  # devices will be dropped.
+  # Start adding by Giam Teck Choon.
+  local tapif=`echo $vif | sed 's/vif/tap/'`
+  # for xm create
+  local checktapif=`cat /proc/net/dev | grep "${tapif}:" | grep -v grep`
+  # for xm shutdown
+  local checktapstate=`iptables -L -n | grep "state
RELATED,ESTABLISHED PHYSDEV match --physdev-out ${tapif}"`
+
+  if [ -n "$checktapif" ] || [ -n "$checktapstate" ] ; then
+    iptables "$c" FORWARD -m physdev --physdev-in "$tapif" "$@" -j ACCEPT \
+      2>/dev/null &&
+    iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
+      --physdev-out "$tapif" -j ACCEPT 2>/dev/null
+  fi
+  # End adding by Giam Teck Choon.
+
   iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
     2>/dev/null &&
   iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
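Review bot: the two guards added in this hunk (`checktapif` and `checktapstate`) are fragile and not needed. `checktapstate` greps `iptables -L -n` for a fixed wording (`state RELATED,ESTABLISHED PHYSDEV match --physdev-out ...`) that depends on the listing format of the installed iptables version, and as posted the pattern is split across a line break inside the quotes, so the command would not run as written; `cat /proc/net/dev | grep "${tapif}:" | grep -v grep` is the `ps` idiom applied to a file in which no grep process can appear, and the unanchored `.` in a name such as `tap1.0` also matches `tap1.01`. The existing vif rules just below are applied unconditionally with `2>/dev/null`, and a `-D` of a rule that was never added fails just as silently, so the tap rules can follow the same pattern and the `/proc/net/dev` and `iptables -L` lookups can be dropped. Also quote the expansion, e.g. `local tapif=$(echo "$vif" | sed 's/vif/tap/')`. On the substance, passing `"$@"` on the tap `--physdev-in` rule exactly as on the vif rule is the right call, since that is what keeps the antispoof source-address restriction from being bypassed via the tap path; the comment above the block could say so explicitly.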


Thanks.

Kindest regards,
Giam Teck Choon

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel